ASN / RPKI validity / BGP stats / IPv4v6 / Prefix / ASPath / Organization / IP reputation & geolocation lookup tool / Web traceroute server.
This script serves the purpose of having a quick OSINT command line tool at disposal when investigating network data, which can come in handy in incident response scenarios as well.
It can also be used as a web-based traceroute server, by running it in listening mode and launching lookups and traces from a local or remote browser (via a bookmarklet or custom search engine) or terminal (via
elinks or similar tools). Click here for more information about server mode functionality.
INET(6)NUMobject (actual LIR allocation).
-doption, see below for usage info).
Screenshots for every lookup option are below.
The script uses the following services for data retrieval:
It also provides hyperlinks (in server mode) to the following external services when appropriate:
Requires Bash v4.2+. Tested on:
This script requires BASH v4.2 or later. You can check your version by running from your shell:
bash -c 'echo $BASH_VERSION'
Some additional packages are also required for full functionality:
Debian 10 / Ubuntu 20.04 (or newer):
apt -y install curl whois bind9-host mtr-tiny jq ipcalc grepcidr ncat aha
Debian 9 / Ubuntu 18.04 (or older):
apt -y install curl whois bind9-host mtr-tiny jq ipcalc grepcidr nmap git gcc make && \ git clone https://github.com/theZiz/aha.git && \ make install -C aha/
yum -y install curl whois bind-utils mtr jq nmap-ncat ipcalc && \ rpm -ivh http://rpmfind.net/linux/opensuse/tumbleweed/repo/oss/x86_64/grepcidr-2.0-1.1.x86_64.rpm \ http://rpmfind.net/linux/epel/8/Everything/x86_64/Packages/a/aha-0.5.1-1.el8.x86_64.rpm
env ASSUME_ALWAYS_YES=YES pkg install bash coreutils curl whois mtr jq ipcalc grepcidr nmap aha
MacOS (using Homebrew):
brew install bash coreutils curl whois mtr jq ipcalc grepcidr nmap aha && brew link mtr
Notes for MacOS users:
mtrstill can't be found after running the command above, this may help to fix it.
asn) traces are not working on your system, you should either run
asnas root using sudo, or set the proper SUID permission bit on the mtr (or better, on the mtr-packet) binary.
using WSL2 (recommended):
Install Windows Subsystem for Linux (v2) by following Microsoft's guide. On step 6, choose one of the Linux distributions listed above (Ubuntu 20.04 LTS is recommended). Once your WSL2 system is up and running, open a Linux terminal and follow the prerequisite installation instructions above for your distribution of choice.
Note for WSL2 users:
asn -l). An alternative could be to run it as a background process (optionally also using
nohup), or using Windows' own task scheduler to start it at boot.
Most of the prerequisite packages listed above for Debian 10 / Ubuntu 20.04 (or newer) are obtainable directly with Cygwin's own Setup wizard (or through scripts like apt-cyg). You will still have to manually compile (or find a suitable third-party precompiled binary) the mtr, grepcidr and aha tools. Instructions on how to do so can be found directly on the respective projects homepages.
Afterwards, to install the asn script from your shell to /usr/bin:
curl "https://raw.githubusercontent.com/nitefood/asn/master/asn" > /usr/bin/asn && chmod 0755 /usr/bin/asn
You can then use the script by running
Note: this step is optional, and these instructions are only for systemd-based Linux systems (most current major distributions).
To control the asn server with utilities like systemctl and service, and to enable it to automatically start at boot, follow these steps:
create a new file called
/etc/systemd/system/asn.service with the following content (make sure you edit the ExecStart line to match your installation path and desired startup options):
[Unit] Description=ASN lookup and traceroute server After=network.target StartLimitIntervalSec=0 [Service] Type=simple Restart=always RestartSec=1 User=nobody ExecStart=/usr/bin/asn -l 0.0.0.0 [Install] WantedBy=multi-user.target
Enable the CAP_NET_RAW capability for the mtr-packet binary:
setcap cap_net_raw+ep $(which mtr-packet)
Explanation: this will allow mtr-packet to create raw sockets (and thus perform traces) when launched as an unprivileged user (we're setting up the service to run as user nobody for added security), without the requirement of the setuid-root bit and without having to invoke mtr as root. A thorough explanation for this can be found here.
Now you can refer to standard systemd utilities to perform service operations:
systemctl start asn
systemctl stop asn
systemctl status asn
journalctl -f -u asn
systemctl enable asn
systemctl disable asn
The script will perform first-level IPv4/v6 reputation lookups using StopForumSpam, and in case of a match it will perform a second-level, in-depth threat analysis for targets and trace hops using the IPQualityScore API. The StopForumSpam API is free and requires no sign-up, and the service aggregates a huge amount of blacklist feeds.
Still, in order to use the IPQualityScore API for in-depth threat reporting, it's necessary to sign up for their service (it's free) and get an API token (it will be emailed to you on sign-up), which will entitle you to 5000 free lookups per month.
Once obtained, the api token should be written to one of the following files (parsed in that order):
/etc-based file should be used when running asn in server mode. The
$HOME-based file takes precedence if both files exist, and is ideal for user mode (that is, running
asn interactively from the command line).
In order to do so, you can use the following command:
TOKEN="<your_token_here>"; mkdir "$HOME/.asn/" && echo "$TOKEN" > "$HOME/.asn/iqs_token" && chmod -R 600 "$HOME/.asn/"
TOKEN="<your_token_here>"; mkdir "/etc/asn/" && echo "$TOKEN" > "/etc/asn/iqs_token" && chmod -R 700 "/etc/asn/" && chown -R nobody /etc/asn/
asn will pick up your token on the next run (no need to restart the service if running in server mode), and use it to query the IPQualityScore API.
asn [OPTIONS] [TARGET]
asn [-v] -l [SERVER OPTIONS]
TARGET can be one of the following:
asn -l 0.0.0.0)
asn -l 12345)
asn -l ::1 12345)
-m, --max-conns <n>
Note: Every option in server mode (after
-l) is passed directly to the ncat listener. Refer to
man ncat for more details on the available commands.
Unless specified, the default IP:PORT values of 127.0.0.1:49200 will be used (e.g.
TARGETtype, if invoked with
-nor without options,
Detailed hop info reporting and RPKI validation can be turned on by passing the
[-d|--detailed] command line switch. This will enable querying the public pWhois server and the RIPEStat RPKI validation API for every hop in the mtr trace. Relevant info will be displayed as a "tree" below the hop data, in addition to Team Cymru's server output (which only reports the AS name that the organization originating the prefix gave to its autonomous system number). This can be useful to figure out more details regarding the organization's name, the prefix' intended designation, and even (to a certain extent) its geographical scope.
Furthermore, this will enable a warning whenever RPKI validation fails for one of the hops in the trace, indicating which AS in the path is wrongly announcing (as per current pWhois data) the hop prefix, indicating a potential route leak or BGP hijacking incident.
.in their name), pass the
[-o|--organization]command line switch.
The script will perform IP and trace hop geolocation with this logic:
The script will use the ip-api, RIPE IPmap and PeeringDB services to classify target IPs and trace hops into these categories:
whoislookup when Team Cymru, pWhois and PeeringDB have no info about the IP address or prefix. This is usually the case with some PNI prefixes, and will give better insight into the path taken by packets.
Server mode requires two tools for its functionality:
aha. Specifically, aha (the ANSI->HTML converter) v0.5+ is required. The ncat tool is contained inside the nmap package on older distributions (e.g. Ubuntu 18.04, Debian 9), while it is packaged as a standalone tool on newer ones.
Please refer to the installation section and run the appropriate commands to install the required packages for your operating system, and optionally to install the asn server as a systemd service.
The main advantage of running lookups from the browser, is that every IP address and AS number gets converted into a hyperlink, allowing to perform subsequent lookups by simply clicking on them.
When looking up an URL/hostname/domain, quick WHOIS info and links to relevant external resources will be available in the results.
When looking up an AS number, all peering ASNs will be clickable. Also, if an AS peers at a public facility, PeeringDB info for that facility will be linked directly. Furthermore, additional external BGP information sources will be linked, directly for the target ASN.
Here are some examples:
Once started in server mode,
asn will spin up a custom webserver waiting for browser requests. This is what the server-side console looks like:
The server is now ready to accept browser requests (only from the local machine, in this case - since I've launched it with no command line switches, which defaults to listening on 127.0.0.1:49200. Refer to the usage section for more information about the available server options).
Visit this page in your browser and follow the instructions to copy the bookmarklet to your bookmarks toolbar:
If you want to "un-minify" the actual bookmarklet code, you can refer to this site.
Once the trace is finished, an option to share the output on termbin is given to the user. This makes for quick sharing of the traceroute or lookup output with other people:
In order to take full advantage of having
asn inside the browser, it is possible to configure it as a custom search engine for the browser search bar. This allows to leverage the server to search for ASNs, URLs, IPs, Hostnames, and so on, depending on the search string.
Generally speaking, this implies instructing the browser that when a certain keyword is prepended to a search, the following characters (the actual search string, identified by
%s) have to be passed to a certain URL. The URL is then composed according to this logic, and opened just like a normal webpage.
@asn for my keyword, but anything would do. In order to speed up things, one could very well use a shorter tag (e.g.
#) that, when used in the address bar, automatically switches your search engine to the ASN Lookup server.
Note that the leading
@ sign is not mandatory, just handy since it doesn't get in the way of normal searches, but there's much freedom with that.
For quick reference, the location URL string to enter (for both Firefox and Chrome) is:
http://127.0.0.1:49200/asn_lookup&%s. Of course that sends lookup requests to the locally running ASN server.
Here's how to add a search engine in Firefox and Chrome:
Simply create a new bookmark and fill its details like this:
Afterwards, you will be able to run queries and traceroutes by simply entering, for example,
@asn 188.8.131.52 in the browser's location bar.
Right click the location bar and select Manage search engines...
3.Fill in the details as shown below:
As usual, the keyword is entierly customizable to your preference.
In order to access the server remotely, beside binding to
0.0.0.0 (or any other relevant IP address for your scenario), if the host is behind a NAT router, you'll need to forward the listening port (
BIND_PORT) from the host/router outside IP to the actual machine where the ASN server is running on.
It is a single TCP port (by default
TCP/49200), and you can change it via the command line parameters (see Usage).
It is possible to launch remote traces from another command line, and view the results directly in the terminal. All it takes is a compatible text browser, for example
elinks (but you can download results for later reviewing even using
curl or really anything else).
The script makes use of 8-bit ANSI colors for its output, so the command to launch a remote trace using elinks would be something like this:
elinks -dump -dump-color-mode 3 http://<ASN_SRV_IP>:49200/asn_lookup&184.108.40.206
The server logic in itself is very simple: the script implements a basic web server entirely in BASH, leveraging the fact that it can talk to a browser using the HTTP protocol and the HTML language, in a reasonably simple way.
The core behind it revolves around ncat, a very robust and stable netcat-like network tool. This is the actual "server" listening for incoming connection, and spawning connection handlers (that is, 'single-purpose' instances of the
asn script itself) as clients connect.
If you decide to open it to the outside (i.e.: binding it to something that is not localhost, and launching traces from outside your local machine), please bear in mind that there is no authentication mechanism (yet) integrated into the code, so theoretically anybody with the right URL could spawn traceroutes from your server and view the results (bear in mind however that the server sanitizes user input by stripping any dangerous characters).
To contrast that, fortunately
ncat implements a robust allow/deny logic (based both on command line parameters and files, a la
hosts.deny). The script supports passing parameters directly to
ncat, therefore it's possible to make full use of its filtering capabilities and lock the server to a restricted range of trusted IPs.
The available options, and some usage examples, can be viewed by running
Note: if you plan to run the server somewhere else than your local machine, remember to change the bookmarklet code and the custom search engine URL values to reflect the actual IP of the asn server. It is naturally possible to have multiple bookmarklets and search engine keywords to map to different ASN server instances.
For the bookmarklet, you'll need to change this value at the very beginning:
var asnserver="localhost:49200" and make it point to the new address:port pair. No further change is required in the remaining JS code.
Any feedback or pull request to improve the code is welcome. Feel free to contribute!